Digital Privacy and Ethics: Privacy Intelligence as a Cornerstone

The inclusion of digital privacy and ethics on the Gartner Top 10 Strategic Technology Trends for 2019[1] list drew some media attention, for a few prosaic reasons. To start, this is the first time the leading analyst firm has identified digital privacy and ethics as a strategic technology trend. Second, unlike other trends on the list, such as AI-driven development, blockchain or digital twins, digital privacy and ethics doesn’t fit the strict description of a technology.

The inclusion on the Gartner list is, of course, noteworthy, but hardly surprising. Digital privacy and data protection have emerged as critical considerations for both business and politics in the 21st century. And while digital privacy isn’t a discrete technology category, digital privacy and ethics are challenges that need to be resolved in large part through technology. In fact, BigID was purpose-built to enable organizations to operationalize privacy compliance and inject privacy intelligence into security and data management infrastructure.

Digital Privacy and Privacy Intelligence

What’s overlooked in the media analysis is the ‘and’ in the inclusion of digital privacy and ethics as a strategic trend. As the report points out: “Best practice means focusing not only on what you have to do but on what you should do ethically with regard to issues such as specific applications of AI or the creation of digital twins of people for marketing purposes.”[2]

Of course, enterprises have to systematically and sustainably address data privacy compliance requirements, such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to avoid fines and reduce risk.

But just as important is how enterprises approach the question of what they should be doing with personal data and information. This is where privacy intelligence comes into the picture. Without a clear understanding of what and whose data enterprises are dealing with, they cannot scale and sustainably address compliance or digital privacy ethics.

Without direct insight into the context and correlation of personal data, privacy policies for compliance or ethical consideration function at best on educated guesses, and at worst, in a vacuum. Actionable data privacy intelligence must be integral to how organizations collect, process and interact with data.

In a more tangible sense, a competitive enterprise that runs afoul of regulators and auditors, or that fails to manage personal data ethically, also diminishes its ability to transform into a data-driven business. If data is the new oil, loss of trust means less oil to fuel business insights and long-term strategic decisions.

Trust, But Verify

Expanding from privacy to ethics moves the conversation beyond “are we compliant” toward “are we doing the right thing”. To address digital privacy and ethics, enterprises must be able to demonstrate to regulators and auditors, as well as customers, partners, and consumers that the stated data accountability and transparency policies are consistently and automatically enforced and continuously validated.

Mind Compliance

GDPR is likely the first compliance mandate that comes to mind when organizations consider how to tackle privacy concerns. But for those who sighed in relief, or went as far as blocking visitors from EU IP addresses, the respite has been brief. With the introduction of the CCPA, the Brazil Privacy Law and tightened breach disclosure requirements in Canadian provinces, there are fewer options for companies looking to avoid complying with data privacy mandates.

Locating data centers to align with data jurisdiction and residency requirements is only a partial answer. Enterprises also need to maintain a comprehensive inventory and mapping of where personal data is stored and processed, and whose data it is, not only to address data subject rights but also to protect each record according to the compliance mandate (and retention requirements) that apply to it. This is where BigID’s privacy intelligence can play a key enabling role.

Mitigate Risk

Risk is not an absolute measure; in the context of compliance, it is the cost-benefit trade-off of operating without falling foul of regulators and auditors. A cornerstone principle of GDPR is accountability: being able to demonstrate compliance on an ongoing basis, not at a single point in time. To mitigate risk on their own terms, enterprises need a tool to proactively assess, evaluate and validate that their data collection, processing and transfers are in compliance. The alternative is unmanaged risk.

To address continuous compliance and meaningfully manage risk, enterprises ultimately need granular, per-individual visibility across the data lifecycle, as well as the ability to check the stated business purpose under CCPA and the lawful basis of processing under GDPR, including consent, against the processing steps that actually take place. Here again, privacy intelligence supplies the insight needed to answer data subject access requests.

Proactive risk mitigation also means being able to honor, within the mandated time frames, the Right to Be Forgotten (erasure) and data portability requirements. By correlating and indexing personal data by the individual it belongs to, privacy intelligence enables organizations to meet these specific regulatory requirements more effectively and efficiently.

Making a Difference

How can embracing data privacy ethics make a difference? First, when the objective of a data privacy program is not only to stay off the radar of regulators but also to demonstrate a core corporate value, customers and partners are reassured that their trust is well placed. After all, without trust, enterprises run the risk of falling behind in fueling a data-driven business.

By adopting the principles of privacy by design and building privacy in from the start, engineering teams can, in fact, turn privacy into a path to competitive differentiation. Gartner explains, “an example of making a difference at a commercial enterprise would be implementing the principles of ‘privacy by design’ to position your products and services as more privacy-friendly than those of competitors.”[3]

In practical terms, this means privacy policies are programmatically integrated into application design and deployment, and privacy risk evaluation is embedded into the data pipeline rather than bolted on afterwards.

Privacy intelligence enables enterprises to start with an entity-centric data registry that leverages metadata insights and propagates privacy classifications, as tags, through the data pipeline, so that a derived dataset inherits the sensitivity of the columns it was built from. This registry can be integrated with data catalogs, so data stewards and data consumers have the context they need to make the right decisions.

By integrating consent governance and preference management, enterprises gain a programmatic, operational workflow for deciding whether they should be collecting or processing a given individual’s personal data at all.
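To make the mechanics concrete, here is a small, self-contained illustration of the pattern described in the last few sections: an entity-centric registry that indexes personal data by subject, propagates privacy tags into derived datasets, gates processing on lawful basis and consent, and answers erasure and portability requests from the same index. This is example code written for this article, not BigID’s product code; the dataset names, tags (`pii`, `gdpr`, `identifier`), lawful-basis rule and sample rows are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Dataset:
    name: str
    columns: dict      # column name -> frozenset of privacy tags (assumed vocabulary)
    rows: list         # list of dicts; every row carries a "subject_id"
    lineage: tuple = ()  # names of upstream datasets this one was derived from


class PrivacyRegistry:
    """Entity-centric registry: knows whose data sits where and how it is tagged."""

    def __init__(self):
        self.datasets = {}
        self.consent = {}        # (subject_id, purpose) -> True once consent is recorded
        self.subject_index = {}  # subject_id -> set of dataset names holding that subject

    def register(self, ds):
        self.datasets[ds.name] = ds
        for row in ds.rows:
            self.subject_index.setdefault(row["subject_id"], set()).add(ds.name)

    def derive(self, source, name, keep):
        """Build a downstream dataset from `keep` columns; tags travel with the columns."""
        src = self.datasets[source]
        columns = {c: src.columns[c] for c in keep}
        columns["subject_id"] = src.columns["subject_id"]
        rows = [{c: r[c] for c in columns} for r in src.rows]
        ds = Dataset(name, columns, rows, lineage=src.lineage + (source,))
        self.register(ds)
        return ds

    def tags_of(self, name):
        """Union of the tags on every column, i.e. the sensitivity of the whole dataset."""
        return frozenset().union(*self.datasets[name].columns.values())

    def grant_consent(self, subject_id, purpose):
        self.consent[(subject_id, purpose)] = True

    def process(self, name, purpose, lawful_basis):
        """Return only the rows that may be processed for `purpose` under `lawful_basis`.

        Assumed rule for this example: data tagged 'pii' may be processed under
        'contract' for every row, but under 'consent' only for subjects who consented
        to this purpose. Non-consenting rows are dropped, so the job still runs.
        """
        ds = self.datasets[name]
        if "pii" not in self.tags_of(name) or lawful_basis == "contract":
            return list(ds.rows)
        if lawful_basis == "consent":
            return [r for r in ds.rows if self.consent.get((r["subject_id"], purpose))]
        raise ValueError(f"unsupported lawful basis: {lawful_basis}")

    def export(self, subject_id):
        """Data portability: everything held about one subject, grouped by dataset."""
        return {n: [r for r in self.datasets[n].rows if r["subject_id"] == subject_id]
                for n in sorted(self.subject_index.get(subject_id, ()))}

    def erase(self, subject_id):
        """Right to be forgotten: drop the subject from every dataset, derived ones included."""
        for n in self.subject_index.pop(subject_id, set()):
            ds = self.datasets[n]
            ds.rows[:] = [r for r in ds.rows if r["subject_id"] != subject_id]
        for key in [k for k in self.consent if k[0] == subject_id]:
            del self.consent[key]


def demo():
    """Run the registry over constructed sample data and return the observable results."""
    reg = PrivacyRegistry()
    crm = Dataset(  # constructed sample data, not real customers
        "crm_customers",
        columns={"subject_id": frozenset({"identifier"}),
                 "email": frozenset({"pii", "gdpr"}),
                 "plan": frozenset()},
        rows=[{"subject_id": "u1", "email": "ana@example.com", "plan": "pro"},
              {"subject_id": "u2", "email": "bo@example.com", "plan": "free"}],
    )
    reg.register(crm)
    reg.derive("crm_customers", "marketing_list", keep=["email"])  # inherits pii/gdpr tags
    reg.derive("crm_customers", "plan_stats", keep=["plan"])       # no pii tag inherited
    reg.grant_consent("u1", "marketing")                            # u2 never consented
    result = {
        "marketing_tags": sorted(reg.tags_of("marketing_list")),
        "stats_tags": sorted(reg.tags_of("plan_stats")),
        "marketing_rows": [r["subject_id"] for r in reg.process("marketing_list", "marketing", "consent")],
        "billing_rows": [r["subject_id"] for r in reg.process("crm_customers", "billing", "contract")],
        "export_u2": reg.export("u2"),
    }
    reg.erase("u2")
    result["after_erase"] = {n: len(reg.datasets[n].rows) for n in sorted(reg.datasets)}
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the example is the coupling: because the registry, not each pipeline job, knows which columns carry `pii` and which subjects consented to which purpose, the marketing job silently loses the non-consenting row while the billing job keeps it, and an erasure request reaches the derived `marketing_list` without anyone having to remember it exists.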

Following Your Values

Compliance has historically been the driver for changes in policies, processes and technology acquisition. For digital privacy and ethics, the point is to look to the spirit, not just the letter, of the law. Making accountability and transparency foundational values relies on the ability to operationalize privacy policies; without the right tools, visibility and enforcement in place, those values remain abstract.

As Gartner points out, “building customer trust in an organization is difficult, but losing it is easy.”[4] Maintaining trust, by complying with proliferating privacy mandates and by ensuring the right decisions are made about personal data, requires privacy intelligence. Digital privacy and ethics touch many facets of how enterprises conduct their business, but without the ability to tie policies to specific personal data, and to know whose data it is, even the best-laid plans can fall short.

[1] Gartner, “Top 10 Strategic Technology Trends for 2019,” David Cearley and Brian Burke, October 15, 2018 (the same report is quoted at [2], [3] and [4]). NOTE: This document, while intended to inform our clients about the current data privacy and security challenges experienced by IT companies in the global marketplace, is in no way intended to provide legal advice or to endorse a specific course of action.